Thursday, March 27, 2014

Weapons of mass-pty considered harmful (trickery!)

Fixed a bug in enabler, which is part of pam_schroedinger, that made it exit() when no more ptys could be allocated. That's wrong of course; we just need to continue dictumerating (enumerating via dictionary) the account. 500 parallel su/sudo runs are no problem.

enabler allows you to mount dictionary attacks using su, sudo, passwd or the like. You can stop this by using pam_schroedinger, or by something like introducing an enforced RLIMIT_PTY and having su, sudo etc. call isatty(0); otherwise socketpairs etc. could be used too.

I also went ahead, signing my github stuff with this key. Any release tag containing an s at the end of the version is a signed tag. Also, all commits will be signed in future. You can verify this via git log --show-signature or git tag --verify TAG after having the above DSA key imported into your gpg keyring.
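The isatty(0) point above, as an added C example (not code from enabler or pam_schroedinger; the function names are mine): a gate a su/sudo-like program could run before prompting for a password, shown against a socketpair end (not a terminal, so a pty limit alone would not throttle it) and against a freshly allocated pty slave.

```c
/* Added example: refuse to prompt for a password unless the input fd is a
 * real terminal. A socketpair or pipe as stdin is rejected; a pty slave is
 * accepted. Function names are hypothetical, not from any real su/sudo. */
#define _XOPEN_SOURCE 600
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <unistd.h>

/* The gate itself: 1 if fd is a terminal, 0 otherwise. */
int fd_is_terminal(int fd) {
    return isatty(fd) ? 1 : 0;
}

/* Feed one end of a socketpair through the gate. Returns the gate result
 * (expected 0), or -1 if the socketpair could not be created. */
int socketpair_end_is_terminal(void) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    int r = fd_is_terminal(sv[0]);
    close(sv[0]);
    close(sv[1]);
    return r;
}

/* Allocate a pty pair and feed the slave side (what a program would see as
 * stdin) through the gate. Returns the gate result (expected 1), or -1 if
 * no pty could be allocated, e.g. in a restricted sandbox. */
int pty_slave_is_terminal(void) {
    int m = posix_openpt(O_RDWR | O_NOCTTY);
    if (m < 0) return -1;
    if (grantpt(m) < 0 || unlockpt(m) < 0) { close(m); return -1; }
    const char *name = ptsname(m);
    if (!name) { close(m); return -1; }
    int s = open(name, O_RDWR | O_NOCTTY);
    if (s < 0) { close(m); return -1; }
    int r = fd_is_terminal(s);
    close(s);
    close(m);
    return r;
}

int main(void) {
    printf("socketpair end passes gate: %d\n", socketpair_end_is_terminal());
    printf("pty slave passes gate:      %d\n", pty_slave_is_terminal());
    printf("this process' stdin passes: %d\n", fd_is_terminal(STDIN_FILENO));
    return 0;
}
```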